Changeset - 40db9e086773
beta
Shawn K. O'Shea - 14 years ago 2011-11-07 22:06:24
shawn@eth0.net
Reject LDAP authentication requests with blank password. Per RFC4513 these should be treated as anonymous binds. See the Security Considerations (Section 6.3.1) for more details on this issue.
1 file changed with 3 insertions and 0 deletions:
rhodecode/lib/auth_ldap.py
 
@@ -78,24 +78,27 @@ class AuthLdap(object):
 

	
 
        Raises AuthenticationError if the credentials are rejected, or
 
        EnvironmentError if the LDAP server can't be reached.
 

	
 
        :param username: username
 
        :param password: password
 
        """
 

	
 
        from rhodecode.lib.helpers import chop_at
 

	
 
        uid = chop_at(username, "@%s" % self.LDAP_SERVER_ADDRESS)
 

	
 
        if not password:
 
            log.debug("Attempt to authenticate LDAP user with blank password rejected.")
 
            raise LdapPasswordError()
 
        if "," in username:
 
            raise LdapUsernameError("invalid character in username: ,")
 
        try:
 
            if hasattr(ldap,'OPT_X_TLS_CACERTDIR'):
 
                ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, 
 
                                '/etc/openldap/cacerts')
 
            ldap.set_option(ldap.OPT_REFERRALS, ldap.OPT_OFF)
 
            ldap.set_option(ldap.OPT_RESTART, ldap.OPT_ON)
 
            ldap.set_option(ldap.OPT_TIMEOUT, 20)
 
            ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, 10)
 
            ldap.set_option(ldap.OPT_TIMELIMIT, 15)
 
            if self.TLS_KIND != 'PLAIN':
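Review bot: The new rejection at `if not password:` logs only at debug level and names no identity, so under a production log configuration a blank-password bind attempt leaves nothing a defender can correlate; `uid` is already computed just above, so `log.warning("Attempt to authenticate LDAP user %s with blank password rejected.", uid)` would record an auditable event without touching the secret. The docstring's Raises clause in the context lines lists only AuthenticationError and EnvironmentError; unless LdapPasswordError (and the existing LdapUsernameError) derive from AuthenticationError, they should be documented there. Raising `LdapPasswordError()` bare while the sibling `LdapUsernameError` carries a reason is a small inconsistency; a short message such as `LdapPasswordError("blank password rejected")` would help callers that surface the error, assuming the class accepts one. The enclosing method begins before this hunk and continues past it.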
0 comments (0 inline, 0 general)